Data Protection Bill | Three changes that will sharpen draft Bill
The fourth avatar of India’s Digital Personal Data Protection Bill (DPDP) was released on November 18. The need for a data protection regimen in India can be traced back to the Supreme Court’s ruling on privacy in 2017.
In that landmark judgment, the Supreme Court recognised privacy as a fundamental right. It further acknowledged protecting personal data as a crucial instrument for protecting citizens' privacy, and called upon the government to formulate a data protection regimen. Therefore, protecting citizens' privacy is a pre-eminent if not an exclusive mandate of any data protection regimen. The latest proposed data protection regimen, the Digital Personal Data Protection Bill, appears to have departed farther from that mandate.
The DPDP awards a bundle of four rights to data principals. These include rights that are well regarded and intrinsic to personal data protection, i.e., Right to information about personal data, which empowers data principals to obtain a summary of their data being processed by data fiduciaries; Right to correction and erasure of personal data, which allows data principals to check their data for accuracy and request corrections; Right of grievance redress, which allows data principals to air grievances concerning the use of their personal data and seek redress and, finally, a Right to nominate, which allows data principals to appoint someone to exercise their data rights on their behalf.
First is a right related to automated decision-making. Automated decision-making has become a default feature of the digital economy. These decisions, ranging from the eligibility for a credit card to the next movie recommendation on an OTT platform, employ machine learning to process personal data. It is now well accepted that automated decisions must be accompanied by a simple (and not over-simplified) explanation of the rationale behind the decision. This is often called a right to explanation, which addresses to an extent the fear of black box algorithms and the potential for discrimination in automated decision-making, and allows data principals to exercise some leverage over automated systems. The previous versions of the Bill carried this right, and so does other leading legislation in the world. Reinstating this right would shield data principals from unintended fallouts of automated systems.
Second, a right to data portability, i.e., the data principal's ability to move their data across data fiduciaries. This ability to port data reflects the data principal's ability to control their personal data, and exert their claim over it. It is a tool to remedy the steep power imbalance between data principals and data fiduciaries.
Third, the right against harm. Given bounded rationality and lack of familiarity with digital environments, data principals are unable to anticipate the variety of harms that could arise from sharing their personal data. A right against harms translates into an obligation for data fiduciaries to ensure ex ante that their processing does not cause any foreseeable harm to data principals. In the current framework, only a small subset of significant data fiduciaries are bound by this obligation.
Replace Data Protection Board By Independent Regulator
The DPDP contemplates creating a board to oversee the implementation of the data protection regimen. This raises at least three concerns. First, the board appears to be steered by personnel appointed by the Union government. This could create conflicts of interest in so far as the government is one of the biggest data fiduciaries. Second, it appears that this board would not have regulatory powers or even the powers to compensate the data principals, raising concerns over its ability to effectively implement the law and redress grievances. Finally, independence of the regulator is an important criterion for conducting business with the European Union and other jurisdictions that follow the General Data Protection Regulation (GDPR). The lack of an independent regulator could reflect poorly on India's adequacy under the GDPR.
Narrowing Exemptions Available Under DPDP
Section 18 (2) of the DPDP allows the government to exempt itself or any of its agencies through a notification. The vastness of the power afforded by this section goes against the grain of the privacy judgment, which sets out that any restrictions on the right to privacy must be to pursue a legitimate or proportionate objective. Unfettered powers of exemption can open the provision to challenges of arbitrariness. Judicial oversight, or clearly defined conditions for when these powers could be used, could help this provision pass muster under the Constitution.
Absent these changes, the DPDP will fall short of realising the constitutional guarantee of the right to privacy for 1.3 crore citizens.